#184 CORS request not http

Closed
opened 5 months ago by Marc05 · 7 comments
Marc05 commented 5 months ago

I use the addons Privacy-Oriented Origin Policy and uBlock Origin along with this addon; I get the following message in the Firefox browser console:
`Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at moz-extension://8146191d-bdfd-4528-86de-1dc69c3b0507/resources/fontawesome/5.15.1/css/all.min.css. (Reason: CORS request not http).`
This is probably because I need rules in POOP like there are for uBlock Origin, however, I'm not sure.

Marc05 commented 5 months ago
Poster

Adding `0:: ^moz-extension://*` to the whitelist in POOP worked. Perhaps this can be referenced somewhere in the LocalCDN settings (e.g. under "Generate rule sets for your adblocker").

nobody commented 5 months ago
Owner

Thanks for your information. Do you know a website where this works? My previous tests have failed. It also depends on the webserver.

Marc05 commented 5 months ago
Poster

I was trying it on dndbeyond.com but I can no longer reproduce it. I don't even see the fontawesome url being used when in the Network tab.

Additionally, perhaps this is relevant:
https://bugzilla.mozilla.org/show_bug.cgi?id=1419459

nobody added the question/discussion label 5 months ago
nobody commented 5 months ago
Owner

> I don’t even see the fontawesome url being used when in the Network tab.

Have you disabled the cache?

> Additionally, perhaps this is relevant: https://bugzilla.mozilla.org/show_bug.cgi?id=1419459

I know the bugreport. It's about detecting a CORS error and handling it inside the extension, e.g. allowing a request to a CDN. This is currently not possible because an extension doesn't know if it is a CORS error.

Marc05 commented 5 months ago
Poster

I'm using arkenfox user.js which disables many things, though I did re-enable `browser.cache.disk.enable`. Perhaps there's something else there that's blocking it.

nobody commented 5 months ago
Owner

Last time (June 2020) when I was looking for a way to manipulate the HTTP header, I couldn't find a way to do that. I also tested [Privacy-Oriented Origin Policy](https://addons.mozilla.org/de/firefox/addon/privacy-oriented-origin-policy/) and [Laboratory](https://addons.mozilla.org/de/firefox/addon/laboratory-by-mozilla/). Both did not work.

In the end it is a security mechanism that is very good. You can probably disable the CORS behavior in Firefox Nightly and/or Beta in `about:config`, but then it's global for all websites. This is very bad for security.

If you have new information, please reopen this issue.

nobody added the sop/cors label 5 months ago
nobody closed this issue 5 months ago
nobody added the observation label 5 months ago
nobody added the duplicate label 5 months ago
nobody removed the observation label 1 month ago
nobody commented 14 hours ago
Owner
see [#369 Information about SOP/CORS related issues](https://codeberg.org/nobody/LocalCDN/issues/369)
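
As an added example (not part of this thread and not LocalCDN's code): a small JavaScript helper that parses Firefox console lines like the one quoted in the first comment and separates `CORS request not http` on a `moz-extension://` resource from CORS failures that depend on the remote server. The verdict names and every sample line except the first are constructed for illustration.

```javascript
// Added example: classify Firefox "Cross-Origin Request Blocked" console lines.
const BLOCKED =
  /Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (.+?)\. \(Reason: (.+?)\)\./;

function triage(line) {
  const m = BLOCKED.exec(line);
  if (!m) return null; // not a CORS console message
  const [, url, reason] = m;
  let scheme = "unparsable";
  let host = "";
  try {
    const u = new URL(url);
    scheme = u.protocol.slice(0, -1); // drop the trailing ":"
    host = u.host; // for moz-extension:// this is the extension's internal UUID
  } catch (_) { /* keep the defaults for an unparsable URL */ }
  // Default: outcome depends on the remote server's headers or the network.
  let verdict = "http-cors-failure";
  if (reason === "CORS request not http") {
    // The CORS-mode request ended on a scheme other than http/https.
    verdict = scheme === "moz-extension" ? "extension-resource" : "other-non-http";
  }
  return { url, scheme, host, reason, verdict };
}

function summarize(lines) {
  const counts = {};
  const extensionHosts = new Set();
  for (const line of lines) {
    const r = triage(line);
    if (!r) continue;
    counts[r.verdict] = (counts[r.verdict] || 0) + 1;
    if (r.verdict === "extension-resource") extensionHosts.add(r.host);
  }
  return { counts, extensionHosts: [...extensionHosts] };
}

const SAMPLE = [
  // Message quoted in this issue:
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at moz-extension://8146191d-bdfd-4528-86de-1dc69c3b0507/resources/fontawesome/5.15.1/css/all.min.css. (Reason: CORS request not http).",
  // Constructed lines:
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdn.example/lib.js. (Reason: CORS request did not succeed). Status code: (null).",
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///home/user/page/data.json. (Reason: CORS request not http).",
  "GET https://example.org/ [HTTP/2 200 OK 12ms]",
];
console.log(summarize(SAMPLE));
```

Only the `extension-resource` group corresponds to the situation reported here; the other groups are unrelated to extension-served files.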